Tech Giants Brace for Europe’s New Data Privacy Rules

Facebook’s London office. The social network has not rolled out certain products in Europe because they may violate the region’s privacy laws.Credit Daniel Leal-Olivas/Agence France-Presse — Getty Images

SAN FRANCISCO — Over the past two months, Google has started letting people around the world choose what data they want to share with its various products, including Gmail and Google Docs.

Amazon recently began improving the data encryption on its cloud storage service and simplified an agreement with customers over how it processes their information.

And on Sunday, Facebook rolled out a new global data privacy center — a single page that allows users to organize who sees their posts and what types of ads they are served.

While these changes are rippling out worldwide, a major reason for these shifts comes from Europe: The tech giants are preparing for a stringent new set of data privacy rules in the region, called the General Data Protection Regulation.

Set to take effect on May 25, the regulations restrict what types of personal data the tech companies can collect, store and use across the 28-member European Union. Among their provisions, the rules enshrine the so-called right to be forgotten into European law so people can ask companies to remove certain online data about them. The rules also require anyone under 16 to obtain parental consent before using popular digital services. If companies do not comply, they could face fines totaling 4 percent of their annual revenue.

close story-body close supplemental

close story-body-supplemental

With the deadline for the new rules now just a few months away, Silicon Valley’s tech behemoths have been scrambling to get ready. Facebook and Google have deployed hundreds of people to make sense of the regulations. Many of the companies have overhauled how they give users access to their own privacy settings. Some have redesigned certain products that suck up too much user data. And in some cases, companies have removed products entirely from the European market because they would violate the new privacy rules.

“Every person who works for us has, in some way, been involved in preparing the company for G.D.P.R.,” said Doug Kramer, general counsel of CloudFlare, an internet performance and security company based in San Francisco that has tightened its data storage and processing practices. “G.D.P.R. is going to introduce very fundamental changes to the way the internet works for everyone.”

Photo

President Emmanuel Macron of France met with Google’s chief executive, Sundar Pichai, this month. Google said it will be ready when Europe’s new data protection rules take effect this May.Credit Pool photo by Thibault Camus

The rush of activity is a reminder of how Europe has set the regulatory standard in reining in the immense power of tech giants, while other places — including the United States — have largely taken a noninterventionist stance. The G.D.P.R. rules were approved in late 2015 after tech companies like Facebook ran into problems over data protection with national privacy watchdogs in various European countries.

European officials said the coming rules are forcing American tech giants to take a step back.

“There has not been any pushback from American companies,” said Věra Jourová, the European Commissioner for Justice, Consumers and Gender Equality. “If anything, they seem very eager to understand how exactly they can comply with the regulation.”

Officials from Facebook, Google and other companies said in interviews that they had been working to give people more control over what data they share anyway. In the past, many of the companies fought back in European courts over privacy rules and declined to offer certain products in the region rather than redesign them to meet privacy standards.

The coming of the new rules has nonetheless pushed a huge scale of internal change, Gilad Golan, Google’s director for security and data protection, said at a San Francisco event last month to introduce new security features. “When G.D.P.R. goes into effect in 2018, we will be ready,” he said.

The biggest challenge, he said, has been preparing for the regulation’s mandate that people in Europe must have control over how their digital data is organized. Google, he said, has had to go through each of its services — from Gmail to its Cloud storage services — to comply. Since the new rules require individuals to give their consent before a company accesses data, for example, Google has had to redesign many consent agreements, as well as change underlying technology to make it easier to remove someone’s data.

“For a company with infrastructure of our size, it takes a lot of work,” Mr. Golan said.

Facebook has also taken multiple steps to deal with the coming rules. On Sunday, the company began offering a new privacy center that puts user security settings on one page instead of dispersing them across different sections of the social network. While the company said the changes was separate from its preparations for the new European regulations, Facebook’s chief operating officer, Sheryl Sandberg, connected the two in a speech in Brussels last week.

The new privacy center would give Facebook a “very good foundation to meet all the requirements of the G.D.P.R. and to spur us on to continue investing in products and in educational tools to protect privacy,” Ms. Sandberg said.

Rob Sherman, Facebook’s deputy chief privacy officer, said the social network has also held a series of “Design Jams” where it invites designers and engineers to reimagine how products look so that people can more easily see and control their online data.

Photo

Facebook and Google have deployed hundreds of people to make sense of the new European data protection regulations.Credit Lluis Gene/Agence France-Presse — Getty Images

With the new rules coming, Facebook also decided not to roll out some products in Europe that would violate the privacy laws.

Last November, for instance, the company unveiled a program that uses artificial intelligence to monitor Facebook users for signs of self-harm. But it did not open the program to users in Europe, where the company would have had to ask people for permission to access sensitive health data, including about their mental state. The social network has also kept out of Europe facial recognition software that tracks when photos of users are posted across the platform.

Amazon, too, has made changes. Last April, the company wrote a blog post outlining its efforts to comply with the new European regulations. The internet retailer said it would strengthen the encryption around the data it stores on its cloud storage services, and reaffirmed the rights of customers to choose which region — Europe or otherwise — where they want their data stored. Amazon declined to discuss the work.

Some American tech companies said they welcomed the new data protection rules.

“We embrace G.D.P.R. because it sets a strong standard for privacy and data protection rights, which is at the core of our business,” Julie Brill, a corporate vice president and deputy general counsel at Microsoft, said in an interview. “We began work on G.D.P.R. as soon as it was adopted by the European Union. Our preparations for G.D.P.R. touch every part of our company.”

How the biggest tech companies handle the regulations will most likely influence their smaller counterparts. Angelo Spenillo, general counsel for Siteimprove, which helps companies manage their presence online, said many little tech companies have been looking toward Google and Facebook for how user privacy and data will be managed online.

“Where the bigger companies go, the smaller companies will follow suit,” he said. “We’re going to see real changes across the board.”

Ms. Jourová said as the new rules take effect, countries outside Europe could begin demanding similar data protection measures for their citizens.

“There will be a moment, especially as more and more people in the U.S. find themselves uncomfortable with the channels monitoring their private lives,” she said.

A version of this article appears in print on January 29, 2018, on Page B1 of the New York edition with the headline: Tech Giants Await Change On Privacy In Europe. Order Reprints|Today’s Paper|Subscribe

close story-meta

close story-body close supplemental

close story-body-supplemental

We’re interested in your feedback on this page. Tell us what you think.